Filter objects by namespace, type, labels or resource policies.
This page describes how to filter resource for backup and restore.
User could use the include and exclude flags with the velero backup
and velero restore
commands. And user could also use resource policies to handle backup.
By default, Velero includes all objects in a backup or restore when no filtering options are used.
Only specific resources are included, all others are excluded.
Wildcard takes precedence when both a wildcard and specific resource are included.
Namespaces to include. Default is *
, all namespaces.
Backup a namespace and it’s objects.
velero backup create <backup-name> --include-namespaces <namespace>
Restore two namespaces and their objects.
velero restore create <backup-name> --include-namespaces <namespace1>,<namespace2>
Kubernetes resources to include in the backup, formatted as resource.group, such as storageclasses.storage.k8s.io (use *
for all resources). Cannot work with --include-cluster-scoped-resources
, --exclude-cluster-scoped-resources
, --include-namespace-scoped-resources
and --exclude-namespace-scoped-resources
.
Backup all deployments in the cluster.
velero backup create <backup-name> --include-resources deployments
Restore all deployments and configmaps in the cluster.
velero restore create <backup-name> --include-resources deployments,configmaps
Backup the deployments in a namespace.
velero backup create <backup-name> --include-resources deployments --include-namespaces <namespace>
Includes cluster-scoped resources. Cannot work with --include-cluster-scoped-resources
, --exclude-cluster-scoped-resources
, --include-namespace-scoped-resources
and --exclude-namespace-scoped-resources
. This option can have three possible values:
true
: all cluster-scoped resources are included.
false
: no cluster-scoped resources are included.
nil
(“auto” or not supplied):
Cluster-scoped resources are included when backing up or restoring all namespaces. Default: true
.
Cluster-scoped resources are not included when namespace filtering is used. Default: false
.
--include-cluster-resources=false
.Backup entire cluster including cluster-scoped resources.
velero backup create <backup-name>
Restore only namespaced resources in the cluster.
velero restore create <backup-name> --include-cluster-resources=false
Backup a namespace and include cluster-scoped resources.
velero backup create <backup-name> --include-namespaces <namespace> --include-cluster-resources=true
Include resources matching the label selector.
velero backup create <backup-name> --selector <key>=<value>
Include resources that are not matching the selector
velero backup create <backup-name> --selector "<key> notin (<value>)"
For more information read the Kubernetes label selector documentation
To include the resources that match at least one of the label selectors from the list. Separate the selectors with or
. The or
is used as a separator to split label selectors, and it is not an operator.
This option cannot be used together with --selector
.
Include resources matching any one of the label selector, foo=bar
or baz=qux
velero backup create backup1 --or-selector "foo=bar or baz=qux"
Include resources that are labeled environment=production
or env=prod
or env=production
or environment=prod
.
velero restore create restore-prod --from-backup=prod-backup --or-selector "env in (prod,production) or environment in (prod, production)"
Kubernetes cluster-scoped resources to include in the backup, formatted as resource.group, such as storageclasses.storage.k8s.io
(use ‘*’ for all resources). Cannot work with --include-resources
, --exclude-resources
and --include-cluster-resources
. This parameter only works for backup, not for restore.
Backup all StorageClasses and ClusterRoles in the cluster.
velero backup create <backup-name> --include-cluster-scoped-resources="storageclasses,clusterroles"
Backup all cluster-scoped resources in the cluster.
velero backup create <backup-name> --include-cluster-scoped-resources="*"
Kubernetes namespace resources to include in the backup, formatted as resource.group, such as deployments.apps
(use ‘*’ for all resources). Cannot work with --include-resources
, --exclude-resources
and --include-cluster-resources
. This parameter only works for backup, not for restore.
Backup all Deployments and ConfigMaps in the cluster.
velero backup create <backup-name> --include-namespace-scoped-resources="deployments.apps,configmaps"
Backup all namespace resources in the cluster.
velero backup create <backup-name> --include-namespace-scoped-resources="*"
Exclude specific resources from the backup.
Wildcard excludes are ignored.
Namespaces to exclude.
Exclude kube-system from the cluster backup.
velero backup create <backup-name> --exclude-namespaces kube-system
Exclude two namespaces during a restore.
velero restore create <backup-name> --exclude-namespaces <namespace1>,<namespace2>
Kubernetes resources to exclude, formatted as resource.group, such as storageclasses.storage.k8s.io. Cannot work with --include-cluster-scoped-resources
, --exclude-cluster-scoped-resources
, --include-namespace-scoped-resources
and --exclude-namespace-scoped-resources
.
Exclude secrets from the backup.
velero backup create <backup-name> --exclude-resources secrets
Exclude secrets and rolebindings.
velero backup create <backup-name> --exclude-resources secrets,rolebindings
velero.io/exclude-from-backup=true
are not included in backup, even if it contains a matching selector label.Kubernetes cluster-scoped resources to exclude from the backup, formatted as resource.group, such as storageclasses.storage.k8s.io
(use ‘*’ for all resources). Cannot work with --include-resources
, --exclude-resources
and --include-cluster-resources
. This parameter only works for backup, not for restore.
Exclude StorageClasses and ClusterRoles from the backup.
velero backup create <backup-name> --exclude-cluster-scoped-resources="storageclasses,clusterroles"
Exclude all cluster-scoped resources from the backup.
velero backup create <backup-name> --exclude-cluster-scoped-resources="*"
Kubernetes namespace resources to exclude from the backup, formatted as resource.group, such as deployments.apps
(use ‘*’ for all resources). Cannot work with --include-resources
, --exclude-resources
and --include-cluster-resources
. This parameter only works for backup, not for restore.
Exclude all Deployments and ConfigMaps from the backup.
velero backup create <backup-name> --exclude-namespace-scoped-resources="deployments.apps,configmaps"
Exclude all namespace resources from the backup.
velero backup create <backup-name> --exclude-namespace-scoped-resources="*"
Velero provides resource policies to filter resources to do backup or restore.
There are three actions supported via the VolumePolicy feature:
Below is the two-step of using resource policies to skip backup of volume:
Creating resource policies configmap
Users need to create one configmap in Velero install namespace from a YAML file that defined resource policies. The creating command would be like the below:
kubectl create cm <configmap-name> --from-file <yaml-file> -n velero
Creating a backup reference to the defined resource policies
Users create a backup with the flag --resource-policies-configmap
, which will reference the current backup to the defined resource policies. The creating command would be like the below:
velero backup create --resource-policies-configmap <configmap-name>
This flag could also be combined with the other include and exclude filters above
The policies YAML config file would look like this:
# currently only supports v1 version
version: v1
volumePolicies:
# each policy consists of a list of conditions and an action
# we could have lots of policies, but if the resource matched the first policy, the latter will be ignored
# each key in the object is one condition, and one policy will apply to resources that meet ALL conditions
# NOTE: capacity or storageClass is suited for [Persistent Volumes](https://kubernetes.io/docs/concepts/storage/persistent-volumes), and pod [Volume](https://kubernetes.io/docs/concepts/storage/volumes) not support it.
- conditions:
# capacity condition matches the volumes whose capacity falls into the range
capacity: "10,100Gi"
# pv matches specific csi driver
csi:
driver: ebs.csi.aws.com
# pv matches one of the storage class list
storageClass:
- gp2
- standard
action:
type: skip
- conditions:
capacity: "0,100Gi"
# nfs volume source with specific server and path (nfs could be empty or only config server or path)
nfs:
server: 192.168.200.90
path: /mnt/data
action:
type: skip
- conditions:
nfs:
server: 192.168.200.90
action:
type: fs-backup
- conditions:
# nfs could be empty which matches any nfs volume source
nfs: {}
action:
type: skip
- conditions:
# csi could be empty which matches any csi volume source
csi: {}
action:
type: snapshot
- conditions:
volumeTypes:
- emptyDir
- downwardAPI
- configmap
- cinder
action:
type: skip
Currently, Velero supports the volume attributes listed below:
capacity
range. The capacity value should include the lower value and upper value concatenated by commas, the unit of each value in capacity could be Ti
, Gi
, Mi
, Ki
etc, which is a standard storage unit in Kubernetes. And it has several combinations below:
storageClass
, such as gp2
, ebs-sc
in eksVelero supported conditions and format listed below:
# match volume has the size between 10Gi and 100Gi
capacity: "10Gi,100Gi"
# match volume has the storage class gp2 or ebs-sc
storageClass:
- gp2
- ebs-sc
Specify the volume source name, the name could be nfs
, rbd
, iscsi
, csi
etc, but Velero only support nfs
and csi
currently.
# match any volume has nfs volume source
nfs : {}
# match any volume has csi volume source
csi : {}
Specify details for the related volume source (currently we only support csi driver filter and nfs server or path filter)
# match volume has csi volume source and using `aws.efs.csi.driver`
csi:
driver: aws.efs.csi.driver
# match volume has nfs volume source and using below server and path
nfs:
server: 192.168.200.90
path: /mnt/nfs
For volume provisioned by Persistent Volumes support all above attributes, but for pod Volume only support filtered by volume source.
volume types
Support filter volumes by types
volumeTypes:
# matches volumes listed below
- emptyDir
- downwardAPI
- configmap
- cinder
Volume types could be found in Persistent Volumes and pod Volume
backup.Spec.SnapshotVolumes
has the fourth priority.fs-backup
and snapshot
actions via volume policy featurefs-backup
and snapshot
.snapshot
action via Volume Policy has higher priority if there is a snapshot
action matching for a particular volume, this volume would be backed up via snapshot irrespective of the value of backup.Spec.SnapshotVolumes
.snapshot
matching action then the volume will be backed up via snapshot given that backup.Spec.SnapshotVolumes
is not explicitly set to false.fs-backup
and snapshot
action purposes:We will use a simple application example in which there is an application pod which has 2 volumes:
gp2-csi
gp3-csi
Now lets go through some example uses-cases and their outcomes:
Example 1: User wants to use fs-backup
action for backing up the volumes having storage class as gp2-csi
version: v1
volumePolicies:
- conditions:
storageClass:
- gp2-csi
action:
type: fs-backup
fs-backup
operation only on Volume 1
as only Volume 1
satisfies the criteria for fs-backup
action.Example 2: User wants to use snapshot
action for backing up the volumes having storage class as gp2-csi
version: v1
volumePolicies:
- conditions:
storageClass:
- gp2-csi
action:
type: snapshot
snapshot
operation only on Volume 1
as only Volume 1
satisfies the criteria for snapshot
action.Example 3: User wants to use snapshot
action for backing up the volumes having storage class as gp2-csi
and wants to use fs-backup
action for backing up the volumes having storage class as gp3-csi
version: v1
volumePolicies:
- conditions:
storageClass:
- gp2-csi
action:
type: snapshot
- conditions:
storageClass:
- gp3-csi
action:
type: fs-backup
snapshot
operation only on Volume 1
as only Volume 1
satisfies the criteria for snapshot
action. Also, velero would perform fs-backup
operation only on Volume 2
as only Volume 2
satisfies the criteria for fs-backup
action.Example 4: User wants to use snapshot
action for backing up the volumes having storage class as gp3-csi
and at the same time also annotates the pod to use opt-in fs-backup legacy approach for Volume 1
backup.velero.io/backup-volumes=Volume 1
version: v1
volumePolicies:
- conditions:
storageClass:
- gp3-csi
action:
type: snapshot
snapshot
operation for Volume 2
as it matches the action criteria and velero would also perform the fs-backup
operation for Volume-1
via the legacy annotations based fallback approach as there is no matching action for Volume-1
Example 5: User wants to use fs-backup
action for backing up the volumes having storage class as gp2-csi
and at the same time also specifies defaultVolumesToFSBackup: true
(fallback option for no action matching volumes)
defaultVolumesToFSBackup: true
:version: v1
volumePolicies:
- conditions:
storageClass:
- gp2-csi
action:
type: fs-backup
fs-backup
operation on both the volumes
fs-backup
on Volume 1
because Volume 1
satisfies the criteria for fs-backup
action.fs-backup
operation will be done as defaultVolumesToFSBackup: true
is specified by the user).To help you get started, see the documentation.